Setting Up a Cisco Unified Communications Manager SIP Trunk Integration
This chapter provides instructions for setting up a Cisco Unified Communications Manager SIP trunk integration with Cisco Unity Connection. This document does not apply to the configuration in which Unity Connection is installed as Cisco Business Edition—on the same server with Cisco Unified CM.
Note: If you are configuring MWI relay across trunks in a distributed phone system, you must see the Cisco Unified CM documentation for requirements and instructions. Configuring MWI relay across trunks does not involve Unity Connection settings. The Cisco Unified CM Music on Hold (MOH) feature is not available during supervised transfers for the Cisco Unified CM SIP trunk integration.
Pre-requisites
Before starting the SCCP integration between Cisco Unified CM and Unity Connection, you need to understand the tasks to be done and the components required for the integration. The table below lists the prerequisites that you must consider to ensure a successful integration.
Pre-requisites | Important Notes |
---|---|
Install the applicable version of Cisco Unified CM. | |
Install the applicable version of Unity Connection with a license that enables the applicable number of voice messaging ports. | |
If Unity Connection uses IPv6 or dual-mode (IPv4 and IPv6) to communicate with Cisco Unified CM, do the following subtasks: | See the “Ethernet IPv6 Configuration Settings” section in the “Settings” chapter of the Cisco Unified Communications Operating System Administration Guide for Cisco Unity Connection Release 11.x at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/os_administration/b_11xcucosagx.html |
Integration Tasks
Do the tasks mentioned in the following table to integrate Cisco Unified CM with Unity Connection in a standalone or cluster mode through a SIP trunk.
Integration Scenario | Integration Tasks |
---|---|
Integration between Cisco Unified CM and Unity Connection (Standalone) | |
Integration between Cisco Unified CM and Unity Connection (Cluster mode) | |
Note: If this is the first integration, the first phone system is automatically selected in the default user template. The users that you add after creating the phone system integration are assigned to this phone system by default. However, for each subsequent integration, add the applicable new user templates for the new phone system. For details on adding new user templates, or on selecting a user template when adding a new user, see the User Templates section in the “User Attributes” chapter of the System Administration Guide for Cisco Unity Connection, Release 11.x, available at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/administration/guide/b_cucsag.html
Creating SIP Trunk Security Profile
There must be a calling search space that is used by all user phones (directory numbers). Otherwise, the integration does not function correctly. For instructions on setting up a calling search space and assigning user phones to it, see the Cisco Unified CM Help.
Procedure
Step 1: In Cisco Unified CM Administration, on the System menu, navigate to .
Step 2: On the Find and List SIP Trunk Security Profiles page, select Add New.
Step 3: On the SIP Trunk Security Profile Configuration page, under SIP Trunk Security Profile Information, enter the following settings.
Step 4: Select Save.
Creating SIP Profile
Procedure
Step 1: On the Device menu, navigate to .
Step 2: On the Find and List SIP Profiles page, select Find.
Step 3: To the right of the SIP profile that you want to copy, select Copy.
Step 4: On the SIP Profile Configuration page, under SIP Profile Information, enter the following settings.
Step 5: If Unity Connection uses IPv6 or dual-stack IPv4 and IPv6 to communicate with Cisco Unified CM, check the Enable ANAT check box. This step is required to ensure proper handling of callers in an IPv6 or dual-stack environment.
Step 6: Select Save.
Creating SIP Trunk
Procedure
Step 1: On the Device menu, select Trunk.
Step 2: On the Find and List Trunks page, select Add New.
Step 3: On the Trunk Configuration page, in the Trunk Type field, select SIP Trunk.
Step 4: In the Device Protocol field, select SIP and select Next.
Step 5: Under Device Information, enter the following settings.
Step 6: If user phones are contained in a calling search space, under Inbound Calls, enter the following settings. Otherwise, continue to Step 7.
Step 7: If user phones are contained in a calling search space, under Outbound Calls, enter the following settings.
Settings Outbound Calls on Trunk Configuration Page
Step 8: Under SIP Information, enter the following settings.
Step 9: Adjust any other settings that are needed for your site.
Step 10: Select Save.
Creating Route Pattern
Procedure
Step 1: On the Call Routing menu, navigate to .
Step 2: On the Find and List Route Patterns page, select Add New.
Step 3: On the Route Pattern Configuration page, enter the following settings.
Step 4: Select Save.
Creating Route Group
Procedure
Step 1: On the Call Routing menu, navigate to .
Step 2: On the Find and List Route Groups page, select Add New.
Step 3: On the Route Group Configuration page, enter the following settings.
Step 4: Confirm that both SIP trunks appear in the Available Devices field. Otherwise, select Find.
Step 5: Select Add to Route Group.
Step 6: Under Current Route Group Members, confirm that the SIP trunk that connects to the subscriber server appears first in the list. You can select the up or down arrows to change the order of the SIP trunks.
Step 7: Select Save.
Creating Route List
Procedure
Step 1: On the Call Routing menu, navigate to .
Step 2: On the Find and List Route Lists page, select Add New.
Step 3: On the Route List Configuration page, enter the following settings.
Step 4: Select Save.
Step 5: Confirm that the Enable This Route List check box is checked.
Step 6: Under Route List Member Information, select Add Route Group.
Step 7: On the Route List Detail Configuration page, in the Route Group field, select the Route Group that you created in the “Configuring Unity Connection for Integration” procedure on page 3-12 and select Save.
Step 8: When prompted that the route list settings are saved, select OK.
Step 9: On the Route List Configuration page, select Reset.
Step 10: When prompted to confirm resetting the route list, select Reset.
Step 11: Select Close.
Creating Voice Mail Pilot
Procedure
Step 1: On the Advanced Features menu, navigate to .
Step 2: On the Find and List Voice Mail Pilots page, select Add New.
Step 3: On the Voice Mail Pilot Configuration page, enter the following voice mail pilot number settings.
Step 4: Select Save.
Setting Up Voice Mail Profile
Procedure
Step 1: On the Advanced Features menu, navigate to .
Step 2: On the Find and List Voice Mail Profiles page, select Add New.
Step 3: On the Voice Mail Profile Configuration page, enter the following voice mail profile settings.
Step 4: Select Save.
Setting Up Voice Mail Server Service Parameters
If you do not want to set up SIP digest authentication, continue to the “Configuring Unity Connection for Integration” section on page 3-12.
Procedure
Step 1: In Cisco Unified CM Administration, navigate to .
Step 2: On the Service Parameters Configuration page, in the Server field, select the name of the Cisco Unified CM server.
Step 3: In the Service list, select Cisco CallManager. The list of parameters appears.
Step 4: Under Clusterwide Parameters (Feature - General), locate the Multiple Tenant MWI Modes parameter.
Step 5: If you use multiple tenant MWI notification, select True. When this parameter is set to True, Cisco Unified CM uses any configured translation patterns to convert voicemail extensions into directory numbers when turning on or off an MWI.
Step 6: If you changed any settings, select Save. Then shut down and restart the Cisco Unified CM server.
(Optional) Setting Up SIP Digest Authentication
Procedure
Step 1: On the System menu, navigate to .
Step 2: On the Find and List SIP Trunk Security Profiles page, select the SIP trunk security profile that you created in the “Creating SIP Trunk Security Profile” procedure on page 3-4.
Step 3: On the SIP Trunk Security Profile Configuration page, check the Enable Digest Authentication check box.
Step 4: Select Save.
(Optional) Creating Application User
Procedure
Step 1: On the User Management menu, select Application User.
Step 2: On the Find and List Application Users page, select Add New.
Step 3: On the Application User Configuration page, enter the following settings.
Step 4: Select Save.
(Optional) Setting up an AXL Server
Do the following configurations if Unity Connection connects to an AXL server.
Procedure
Step 1: Expand Telephony Integrations and select Phone System.
Step 2: On the Search Phone Systems page, select the display name of the phone system that you created.
Step 3: On the Phone System Basics page, in the Edit menu, select Cisco Unified Communications Manager AXL Servers. Connecting to an AXL server is needed when Unity Connection needs to have access to the Cisco Unified CM database for importing Cisco Unified CM users and for changing certain phone settings for users of Cisco Unity Connection personal call transfer rules.
Step 4: On the Edit AXL Servers page, under AXL Servers, select Add New.
Step 5: Enter the following settings for the AXL server and select Save.
Step 6: Repeat Step 4 and Step 5 for all remaining AXL servers.
Step 7: Under AXL Server Settings, enter the following settings and select Save.
Step 8: To add a corresponding application server to Cisco Unified CM, sign in to Cisco Unified CM Administration.
Step 9: In Cisco Unified CM Administration, navigate to System > Application Server page.
Step 10: On the Find and List Application Servers page, select Find to display all application servers.
Step 11: In the Name column, select the name of the Cisco Unity Connection server.
Step 12: On the Application Server Configuration page, in the Available Application User field, select the Cisco Unified CM application user that you used in Step 7 and select the down arrow to move it to the Selected Application User field.
Step 13: Select Save.
Configuring Unity Connection for Integration
After ensuring that Cisco Unified Communications Manager and Unity Connection are ready for the integration, do the following procedure to set up the integration and to enter the port settings.
Creating an Integration
Procedure
Step 1: Sign in to Cisco Unity Connection Administration.
Step 2: If you use Cisco Unified CM authentication and encryption, do the following substeps. Otherwise, skip to Step 3.
Step 3: In Cisco Unity Connection Administration, expand Telephony Integrations, then select Phone System.
Step 4: On the Search Phone Systems page, under Display Name, select the name of the default phone system.
Step 5: On the Phone System Basics page, in the Phone System Name field, enter the descriptive name that you want for the phone system.
Step 6: If you want to use this phone system as the default for TRaP connections so that administrators and users without voicemail boxes can record and playback through the phone in Unity Connection web applications, check the Default TRAP Switch check box. If you want to use another phone system as the default for TRaP connections, uncheck this check box.
Step 7: Select Save.
Step 8: On the Phone System Basics page, in the Related Links drop-down box, select Add Port Group and select Go.
Step 9: On the New Port Group page, enter the applicable settings and select Save.
Step 10: On the Port Group Basics page, do the following substeps if the Cisco Unified CM cluster has secondary servers, or if you want to add a TFTP server (required for Cisco Unified CM authentication and encryption). Otherwise, skip to Step 11.
Step 11: On the Port Group Basics page, in the Related Links drop-down box, select Add Ports and select Go.
Step 12: On the New Port page, enter the following settings and select Save.
Step 13: On the Search Ports page, select the display name of the first voice messaging port that you created for this phone system integration.
Step 14: On the Port Basics page, set the voice messaging port settings as applicable. The fields in the following table are the ones that you can change.
Step 15: Select Save.
Step 16: Select Next.
Step 17: Repeat Step 14 through Step 16 for all remaining voice messaging ports for the phone system.
Step 18: If you use Cisco Unified CM authentication and encryption, do the following substeps. Otherwise, skip to Step 20.
Step 19: Copy the Unity Connection root certificate to all Cisco Unified CM servers in this Cisco Unified CM system integration by doing the following substeps.
Step 20: If another phone system integration exists, in Cisco Unity Connection Administration, expand Telephony Integrations, then select Trunk.
Step 21: On the Search Phone System Trunks page, on the Phone System Trunk menu, select New Phone System Trunk.
Step 22: On the New Phone System Trunk page, enter the following settings for the phone system trunk and select Save.
Step 23: Repeat Step 21 and Step 22 for all remaining phone system trunks that you want to create.
Enabling Next Generation Security over SIP Integration
Unity Connection supports Next Generation Security over the SIP interface, which provides confidentiality, integrity, and authentication through cryptographic algorithms. Next Generation Encryption is more secure because it restricts the SIP interface to Suite B ciphers based on TLS 1.2, SHA-2, and AES256 protocols. In addition to ciphers, Next Generation Encryption also includes third-party certificates that must be uploaded on both Unity Connection and Cisco Unified CM. During communication between Unity Connection and Cisco Unified CM, both the ciphers and the third-party certificates are verified at both ends. The configuration for Next Generation Encryption support is described below:
Generate and Upload Certificates
Unity Connection uses RSA key based Tomcat certificates and EC key based tomcat-ECDSA certificates (self signed and third party) for next generation security. The settings for each certificate are described in further sections.
Settings for RSA Key Based certificates
Generating RSA Key Based Certificates of Unity Connection
Below are the steps to generate RSA key based certificates of Unity Connection and upload them on Cisco Unified CM:
Procedure
Step 1: On Unity Connection, sign in to the Cisco Unified Operating System Administration page.
Step 2: Navigate to Security and select Certificate Management.
Step 3: If you want to generate self-signed certificates of Unity Connection, follow Step 4 to Step 6. Otherwise, skip to Step 7.
Step 4: On the Certificate Management page, select Generate Self Signed.
Step 5: In the Generate Self-Signed window, select tomcat in Certificate Purpose.
Step 6: Select Generate.
Step 7: To generate RSA key based third-party certificates, select Generate CSR on the Certificate Management page.
Step 8: In the Generate Certificate Signing Request window, select tomcat in the Certificate Purpose field.
Step 9: In the Parent Domain field, enter the complete FQDN of Unity Connection.
Step 10: Select Generate.
Step 11: On the Certificate List page, select Download CSR. This generates the Unity Connection certificates from a third party, that is, Microsoft CA or Verisign.
Step 12: Save the leaf certificate of Unity Connection and the root/chain certificate of the certification authority on your system.
Step 13: On the Certificate List page, select Upload Certificate/Certificate Chain.
Step 14: In the Upload Certificate/Certificate Chain window, select tomcat in the Certificate Purpose field.
Step 15: Navigate to Upload File, select Browse and upload the Unity Connection leaf certificate generated by the third-party CSR, which you saved in Step 12.
Step 16: Select Upload.
Step 17: On Cisco Unified CM, sign in to the Cisco Unified Operating System Administration page.
Step 18: Navigate to Security and select Certificate Management.
Step 19: On the Certificate List page, select Upload Certificate/Certificate Chain.
Step 20: In the Upload Certificate/Certificate Chain window, select CallManager-trust in the Certificate Purpose field.
Step 21: Navigate to Upload File, select Browse and upload the Unity Connection self-signed certificate generated in Step 6. To upload Unity Connection third-party certificates, browse to the root/chain certificate of the third-party Certification Authority saved in Step 12.
Step 22: Select Upload.
Generating RSA Based Certificates of Cisco Unified CM
Below are the steps to generate RSA based certificates of Cisco Unified CM and upload them on Unity Connection:
Procedure
Step 1: On Cisco Unified CM, sign in to the Cisco Unified Operating System Administration page.
Step 2: Navigate to Security and select Certificate Management.
Step 3: If you want to generate self-signed certificates of Cisco Unified CM, follow Step 4 to Step 6. Otherwise, skip to Step 7.
Step 4: On the Certificate Management page, select Generate Self Signed.
Step 5: In the Generate New Self Signed Certificate window, select CallManager in the Certificate Purpose field.
Step 6: Select Generate.
Step 7: To generate RSA key based third-party certificates, select Generate CSR on the Certificate Management page.
Step 8: In the Generate Certificate Signing Request window, select CallManager in the Certificate Purpose field.
Step 9: In the Parent Domain field, enter the complete FQDN of Cisco Unified CM.
Step 10: Select Generate.
Step 11: On the Certificate List page, select Download CSR. This generates the Cisco Unified CM certificates from a third party, that is, Microsoft CA or Verisign.
Step 12: Save the leaf certificate of Cisco Unified CM and the root/chain certificate of the certification authority on your system.
Step 13: On the Certificate List page, select Upload Certificate/Certificate Chain.
Step 14: In the Upload Certificate/Certificate Chain window, select CallManager in the Certificate Purpose field.
Step 15: Navigate to Upload File, select Browse and upload the Cisco Unified CM leaf certificate generated by the third-party CSR, which you saved in Step 12.
Step 16: Select Upload.
Settings for EC Key Based certificates
Generating EC Key Based Certificates of Unity Connection
Below are the steps to generate EC key based certificates of Unity Connection and upload them on Cisco Unified CM:
Procedure
Step 1: On Unity Connection, sign in to the Cisco Unified Operating System Administration page.
Step 2: Navigate to Security and select Certificate Management.
Step 3: If you want to generate self-signed certificates of Unity Connection, follow Step 4 to Step 6. Otherwise, skip to Step 7.
Step 4: On the Certificate Management page, select Generate Self Signed.
Step 5: In the Generate New Self Signed Certificate window, select tomcat-ECDSA in the Certificate Purpose field.
Step 6: Select Generate.
Step 7: To generate EC key based third-party certificates, select Generate CSR on the Certificate Management page.
Step 8: In the Generate Certificate Signing Request window, select tomcat-ECDSA in the Certificate Purpose field.
Step 9: In the Parent Domain field, enter the complete FQDN of Unity Connection.
Step 10: Select Generate.
Step 11: On the Certificate List page, select Download CSR. This generates the Unity Connection ECDSA certificates from a third party, that is, Microsoft CA or Verisign.
Step 12: Save the leaf certificate of Unity Connection and the root/chain certificate of the certification authority on your system.
Step 13: On the Find and List Certificates page, select Upload Certificate/Certificate Chain.
Step 14: In the Upload Certificate/Certificate Chain window, select tomcat-ECDSA in the Certificate Purpose field.
Step 15: Navigate to Upload File, select Browse and upload the Unity Connection leaf certificate generated by the third-party CSR, which you saved in Step 12.
Step 16: Select Upload.
Step 17: On Cisco Unified CM, sign in to the Cisco Unified Operating System Administration page.
Step 18: Navigate to Security and select Certificate Management.
Step 19: On the Certificate List page, select Upload Certificate/Certificate Chain.
Step 20: In the Upload Certificate/Certificate Chain window, select CallManager-trust in the Certificate Purpose field.
Step 21: Navigate to Upload File, select Browse and upload the Unity Connection self-signed certificate generated in Step 6. To upload Unity Connection third-party certificates, browse to the root/chain certificate of the third-party Certification Authority saved in Step 12.
Step 22: Select Upload.
Generating EC Key Based Certificates of Cisco Unified CM
Below are the steps to generate EC key based certificates of Cisco Unified CM and upload them on Unity Connection:
Procedure
Step 1: On Cisco Unified CM, sign in to the Cisco Unified Operating System Administration page.
Step 2: Navigate to Security and select Certificate Management.
Step 3: If you want to generate self-signed certificates of Cisco Unified CM, follow Step 4 to Step 6. Otherwise, skip to Step 7.
Step 4: On the Certificate Management page, select Generate Self Signed.
Step 5: In the Generate New Self Signed Certificate window, select CallManager-ECDSA in the Certificate Purpose field.
Step 6: Select Generate.
Step 7: To generate EC key based third-party certificates, select Generate CSR on the Certificate Management page.
Step 8: In the Generate Certificate Signing Request window, select CallManager-ECDSA in the Certificate Purpose field.
Step 9: In the Parent Domain field, enter the complete FQDN of Cisco Unified CM.
Step 10: Select Generate.
Step 11: On the Certificate List page, select Download CSR. This generates the Cisco Unified CM certificates from a third party, that is, Microsoft CA or Verisign.
Step 12: Save the leaf certificate of Cisco Unified CM and the root/chain certificate of the certification authority on your system.
Step 13: On the Certificate List page, select Upload Certificate/Certificate Chain.
Step 14: In the Upload Certificate/Certificate Chain window, select CallManager-ECDSA in the Certificate Purpose field.
Step 15: Navigate to Upload File, select Browse and upload the Cisco Unified CM leaf certificate generated by the third-party CSR, which you saved in Step 12.
Step 16: Select Upload.
Security Mode Settings
Procedure
Step 1: Sign in to Cisco Unity Connection Administration.
Step 2: In Cisco Unity Connection Administration, expand Telephony Integrations and select Port Group.
Step 3: On the Search Port Groups page, select the applicable port group.
Step 4: Verify that the Enable Next Generation Encryption check box is checked.
Step 5: Sign in to Cisco Unified CM Administration.
Step 6: Navigate to System > Security and select SIP Trunk Security Profile.
Step 7: On the Find and List SIP Trunk Security Profiles page, select the SIP trunk security profile that you created in the “Creating SIP Trunk Security Profile” procedure on page 3-4.
Step 8: On the SIP Trunk Security Profile Configuration page, verify that the value entered in X.509 Subject Name is the FQDN of the corresponding Unity Connection server.
Step 9: Configure TLS Ciphers as mentioned in section TLS Ciphers Configuration.
TLS Ciphers Configuration
Below are the steps to configure TLS Cipher option in Unity Connection and Cisco Unified CM:
Procedure
Step 1: Sign in to the Cisco Unified CM Administration page and navigate to Systems > Enterprise Parameters.
Step 2: Select the appropriate cipher option from the TLS Ciphers drop-down list under Security Parameters.
Step 3: From the Navigation pane on the right corner of the screen, select Cisco Unified Serviceability and select Go.
Step 4: On the Cisco Unified Serviceability page, navigate to Tools > Control Centre-Feature Services and select Cisco Call Manager under CM Services.
Step 5: Select Restart.
Step 6: Sign in to the Cisco Unity Connection Administration page, expand System Settings and select General Configurations.
Step 7: Select the appropriate cipher from the TLS Ciphers drop-down list.
Step 8: From the Navigation pane on the right corner of the screen, select Cisco Unity Connection Serviceability and select Go.
Step 9: Go to Tools > Service Management and stop Connection Conversation Manager. Once the Connection Conversation Manager service is stopped, start it again.
Step 10: Generate and upload RSA and EC key based certificates as mentioned in section Generate and Upload Certificates.
The table below lists the TLS Cipher options in priority order of the RSA or ECDSA ciphers.
TLS Cipher Options | TLS Ciphers in Priority Order |
---|---|
Strongest-AES-256 SHA-384 Only: RSA Preferred | |
Strongest-AES-256 SHA-384 Only: ECDSA Preferred | |
Medium-AES-256 AES-128 Only: RSA Preferred | |
Medium-AES-256 AES-128 Only: ECDSA Preferred | |
All Ciphers RSA Preferred (Default) | |
All Ciphers ECDSA Preferred | |
The negotiation between Unity Connection and Cisco Unified Communications Manager depends on the TLS cipher configuration with the following conditions:
- When Unity Connection acts as server, TLS cipher negotiation is based on the preference selected by Cisco Unified CM.
  - In case ECDSA based cipher is negotiated then EC key based tomcat-ECDSA certificates are used in SSL handshake.
  - In case RSA based cipher is negotiated then RSA key based tomcat certificates are used in SSL handshake.
- When Unity Connection acts as client, TLS cipher negotiation is based on the preference selected by Unity Connection.
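The selection rules above, modelled as an added example (not Cisco code), show which certificate ends up in the handshake for each call direction. The suite lists are constructed samples using IANA names, not the contents of the TLS Ciphers options. Two assumptions are made: negotiation picks the first suite in the client's priority order that the server also offers, and Cisco Unified CM presents its CallManager or CallManager-ECDSA certificate when it is the TLS server (inferred from the certificate purposes on this page).

```python
# Added example: models the negotiation rules described above.
# Constructed sample suites (IANA names), not the product's option contents.
RSA_256 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
ECDSA_256 = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
RSA_128 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Certificate purposes named on this page, keyed by (product, key type).
# The Cisco Unified CM rows are an assumption for the case where it is server.
CERT_PURPOSE = {
    ("Unity Connection", "RSA"): "tomcat",
    ("Unity Connection", "ECDSA"): "tomcat-ECDSA",
    ("Cisco Unified CM", "RSA"): "CallManager",
    ("Cisco Unified CM", "ECDSA"): "CallManager-ECDSA",
}


def key_type(suite):
    """Return 'ECDSA' or 'RSA' from the authentication part of a TLS 1.2 suite name."""
    auth = suite.split("_WITH_")[0]  # e.g. TLS_ECDHE_ECDSA or TLS_RSA
    if auth.endswith("_ECDSA"):
        return "ECDSA"
    if auth.endswith("_RSA"):
        return "RSA"
    raise ValueError(f"unrecognised authentication in {suite!r}")


def negotiate(client_prefs, server_suites):
    """First suite in the client's priority order that the server also offers."""
    offered = set(server_suites)
    for suite in client_prefs:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake fails


def plan_handshake(uc_role, uc_suites, cucm_suites):
    """Predict suite and server certificate; uc_role is Unity Connection's TLS role."""
    if uc_role == "server":
        # Unity Connection as server: Cisco Unified CM's preference decides.
        client_prefs, server_suites = cucm_suites, uc_suites
        server = "Unity Connection"
    elif uc_role == "client":
        # Unity Connection as client: Unity Connection's preference decides.
        client_prefs, server_suites = uc_suites, cucm_suites
        server = "Cisco Unified CM"
    else:
        raise ValueError("uc_role must be 'server' or 'client'")
    suite = negotiate(client_prefs, server_suites)
    if suite is None:
        return {"suite": None, "key_type": None, "server_cert": None}
    kt = key_type(suite)
    return {"suite": suite, "key_type": kt,
            "server_cert": CERT_PURPOSE[(server, kt)]}


def server_certs_in_use(uc_suites, cucm_suites):
    """Certificate purposes presented across both call directions."""
    used = set()
    for role in ("server", "client"):
        cert = plan_handshake(role, uc_suites, cucm_suites)["server_cert"]
        if cert:
            used.add(cert)
    return sorted(used)


if __name__ == "__main__":
    uc = [RSA_256, ECDSA_256]      # constructed: RSA preferred on Unity Connection
    cucm = [ECDSA_256, RSA_256]    # constructed: ECDSA preferred on Unified CM
    for role in ("server", "client"):
        print(role, plan_handshake(role, uc, cucm))
    print("certificates in use:", server_certs_in_use(uc, cucm))
```

With mismatched preferences on the two products, each direction negotiates a different key type, so both the RSA and the EC certificates have to be generated and exchanged before the cipher option is changed.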
SRTP Ciphers Configuration
If you want to enable Next Generation Security over RTP interface, configure SRTP Ciphers as mentioned below:
Procedure
Step 1: Sign in to the Cisco Unified CM Administration page and navigate to Systems > Enterprise Parameters.
Step 2: Select the appropriate cipher option from the SRTP Ciphers drop-down list under Security Parameters.
Step 3: From the Navigation pane on the right corner of the screen, select Cisco Unified Serviceability and select Go.
Step 4: On the Cisco Unified Serviceability page, navigate to Tools > Control Centre-Feature Services and select Cisco Call Manager under CM Services.
Step 5: Select Restart.
Step 6: Sign in to the Cisco Unity Connection Administration page, expand System Settings and select General Configurations.
Step 7: Select the appropriate cipher from the SRTP Ciphers drop-down list.
Step 8: From the Navigation pane on the right corner of the screen, select Cisco Unity Connection Serviceability and select Go.
Step 9: Go to Tools > Service Management and stop Connection Conversation Manager. Once the Connection Conversation Manager service is stopped, start it again.
The table below lists the SRTP Cipher options in priority order of the RSA or ECDSA ciphers.
SRTP Cipher Option | SRTP in Priority Order |
---|---|
All supported AES-256, AES-128 ciphers | |
AEAD AES-256, AES-128 GCM-based ciphers | |
AEAD AES256 GCM-based ciphers only | AEAD_AES_256_GCM |